If your business uses cloud software, employs remote workers abroad, or shares customer data with overseas partners, you may be making “restricted transfers” under UK GDPR without realising it.
On 15 January 2026, the ICO published updated guidance on international transfers of personal data. The update simplifies a notoriously confusing area of data protection law, introducing a clear three-step test to help organisations determine whether the transfer rules apply to them.
This article explains what’s changed, whether you’re affected, and what you need to do about it.
What Is a Restricted Transfer?
A restricted transfer occurs when you send personal data from the UK to a recipient outside the UK. When this happens, UK GDPR Chapter V requires you to take additional steps to protect that data.
The ICO’s updated guidance introduces a straightforward three-step test to determine if you’re making a restricted transfer:
Step 1: Does UK GDPR apply to your processing of the personal data you’re sending?
Step 2: Are you the organisation sending personal data to another organisation outside the UK?
Step 3: Is the recipient a separate legal entity from you?
If you answer “yes” to all three questions, you’re making a restricted transfer and the transfer rules apply.
The third step is worth noting. Transfers within your own organisation (for example, to your own overseas branch) are not restricted transfers. But sending data to a separate company – even a group subsidiary – triggers the rules.
Are You Making Restricted Transfers?
Many businesses transfer personal data internationally without realising it. Here are common scenarios that trigger the rules:
Cloud software and SaaS tools. If you use US-based services like Salesforce, HubSpot, Mailchimp, or Google Workspace, your customer and employee data may be processed on servers outside the UK. Each of these involves a transfer to a separate legal entity abroad.
Outsourced services. Call centres, IT support companies, or payroll providers based overseas will receive personal data from you as part of the service arrangement. If they’re a separate legal entity outside the UK, the transfer rules apply.
Group companies. Sharing employee or customer data with a parent company, subsidiary, or sister company in another country counts as a restricted transfer because they are separate legal entities.
International clients and partners. Sending personal data to clients or business partners outside the UK – even within Europe – requires you to consider the transfer rules.
The ICO plans to release an interactive tool to help organisations identify whether they’re making restricted transfers. Until then, the three-step test provides a practical way to assess your arrangements.
What You Need to Do
If you’re making restricted transfers, you have three main options to ensure compliance.
Check for an Adequacy Decision
The simplest route. The UK government has recognised certain countries as providing adequate data protection. Transfers to these countries can proceed without additional safeguards.
The list includes all EEA countries, plus others like Japan, South Korea, and Switzerland. The EU recently renewed its adequacy decisions for the UK until December 2031, meaning data can continue flowing freely between the UK and EU.
For the US, transfers are permitted under the UK Extension to the EU-US Data Privacy Framework – but only to US organisations that have self-certified under that framework. Check your US provider’s privacy policy or the Data Privacy Framework list to confirm their certification status.
Use Appropriate Safeguards
For transfers to countries without adequacy, you’ll need contractual protections. The main mechanism is the International Data Transfer Agreement (IDTA), a standard contract approved by the ICO. If your supplier already uses EU Standard Contractual Clauses, you can add the UK Addendum instead of replacing the entire agreement.
Complete a Transfer Risk Assessment
The Data (Use and Access) Act 2025 now refers to what was previously called a Transfer Risk Assessment (TRA) as a “data protection test.” You must assess whether the destination country’s laws could undermine the protections in your contract. For transfers to adequacy countries, this assessment is minimal. For others, you’ll need to consider local surveillance laws and enforcement risks.
Next Steps
The ICO’s updated guidance makes international transfers easier to understand, but it doesn’t change your obligations. If you haven’t reviewed your data flows recently, now is a good time.
Start by mapping where personal data goes when it leaves your organisation. Apply the three-step test to each flow. For any restricted transfers you identify, check whether an adequacy decision applies or whether you need contractual safeguards in place.
The ICO is hosting a webinar on 10 March 2026 to explain the changes and offer practical advice for those managing restricted transfers. Further guidance on transfer risk assessments and cloud services is expected later this year.
